Denial-of-service (DoS) attacks or distributed denial-of-service (DDoS) attacks may be attempts to make a server computer (e.g., a server computer used in a computing service environment) unavailable to users. DoS attacks may involve concerted efforts to prevent the server computer from functioning (or to make it perform less efficiently) for a certain period of time. For example, a DoS attack may be performed by saturating the server computer with external communication requests, such that the server computer cannot respond to legitimate traffic or responds so slowly that it is effectively rendered unavailable. More specifically, a server may be saturated with SYN requests. SYN is short for a "synchronize" message, and the SYN request is the first step in establishing communication between two systems over TCP/IP (Transmission Control Protocol/Internet Protocol).
When a server receives a SYN request, the server responds with a SYN-ACK (synchronize and acknowledge) message. Under normal circumstances, the requesting computer may then respond with an ACK (acknowledge) message that establishes a connection between the two systems. In a SYN flood attack, an attacking computer may send a large number of SYN requests without sending back any ACK messages. The server therefore ends up waiting for multiple responses, which ties up system resources. If the queue of response requests grows large enough, the server may not be able to respond to legitimate requests at all. This results in a slow or unresponsive server. DoS or DDoS attackers may target electronic sites or services hosted on web servers, such as cloud computing providers, e-commerce electronic pages, banks, credit card payment gateways, root name servers, etc.
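
The build-up of unanswered SYN requests described above can be measured from the server side. The following Python code is an added example, not part of the original text: it tracks which SYN requests were never followed by an ACK and reports the sources holding the most half-open connections. The record format, the sample addresses, and the `grace`, `per_source_limit` and `backlog` values are constructed assumptions, not defaults of any real system.

```python
from collections import Counter

# Constructed sample records, as a server-side sensor might log them:
# (time in seconds, client IP, client port, flag sent by the client).
# Assumption of this simplified model: "ACK" means the client completed
# the handshake that its earlier "SYN" started.
SAMPLE = [
    (0.00, "198.51.100.7", 40001, "SYN"),
    (0.05, "198.51.100.7", 40001, "ACK"),
    (0.10, "198.51.100.8", 40002, "SYN"),
    (0.40, "198.51.100.8", 40002, "ACK"),
    (9.50, "198.51.100.20", 41000, "SYN"),  # slow but recent, no ACK yet
] + [
    # One source opening many connections and never acknowledging any.
    (0.20 + i * 0.01, "203.0.113.9", 50000 + i, "SYN") for i in range(6)
]


def half_open(records, now, grace=3.0):
    """Return {(ip, port): syn_time} for SYNs still unanswered after `grace` s."""
    pending = {}
    # Sort on time only, so records with equal timestamps keep input order.
    for ts, ip, port, flag in sorted(records, key=lambda r: r[0]):
        key = (ip, port)
        if flag == "SYN":
            pending.setdefault(key, ts)  # a retransmitted SYN keeps the first time
        elif flag == "ACK":
            pending.pop(key, None)       # handshake done, the slot is released
    return {k: t for k, t in pending.items() if now - t >= grace}


def flood_report(records, now, per_source_limit=3, backlog=8, grace=3.0):
    """Summarise half-open connections against a hypothetical backlog size."""
    stale = half_open(records, now, grace)
    per_source = Counter(ip for ip, _port in stale)
    return {
        # The total matters as well as per-source counts: in a distributed
        # attack the unanswered SYNs are spread over many sources.
        "half_open_total": len(stale),
        "suspect_sources": sorted(
            ip for ip, n in per_source.items() if n >= per_source_limit
        ),
        "backlog_pressure": len(stale) / backlog,
    }


if __name__ == "__main__":
    print(flood_report(SAMPLE, now=10.0))
```

The `grace` period keeps a client that has only just sent its SYN from being counted as half-open.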